Puppet Class: security_baseline::rules::debian::sec_rsh

Defined in:
manifests/rules/debian/sec_rsh.pp

Summary

Ensure rsh server is not enabled (Scored)

Overview

The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text.

Rationale: These legacy services contain numerous security exposures and have been replaced with the more secure SSH package.

Examples:

class security_baseline::rules::debian::sec_rsh {
    enforce => true,
    message => 'Test',
    log_level => 'info'
}

Parameters:

  • enforce (Boolean) (defaults to: true)

    Enforce the rule or just test and log

  • message (String) (defaults to: '')

    Message to print into the log

  • log_level (String) (defaults to: '')

    The log_level for the above message



27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
 
# File 'manifests/rules/debian/sec_rsh.pp', line 27

class security_baseline::rules::debian::sec_rsh (
  Boolean $enforce = true,
  String $message = '',
  String $log_level = ''
) {
  if($enforce) {
    if(has_key($facts['security_baseline']['inetd_services'], 'srv_rsh')) {
      if($facts['security_baseline']['inetd_services']['srv_rsh']['status']) {
        file_line { 'rsh_disable':
          line     => 'disable     = yes',
          path     => $facts['security_baseline']['inetd_services']['srv_rsh']['filename'],
          match    => 'disable.*=',
          multiple => true,
        }
      }
    }
    if(has_key($facts['security_baseline']['inetd_services'], 'srv_rlogin')) {
      if($facts['security_baseline']['inetd_services']['srv_rlogin']['status']) {
        file_line { 'rlogin_disable':
          line     => 'disable     = yes',
          path     => $facts['security_baseline']['inetd_services']['srv_rlogin']['filename'],
          match    => 'disable.*=',
          multiple => true,
        }
      }
    }
    if(has_key($facts['security_baseline']['inetd_services'], 'srv_rexec')) {
      if($facts['security_baseline']['inetd_services']['srv_rexec']['status']) {
        file_line { 'rexec_disable':
          line     => 'disable     = yes',
          path     => $facts['security_baseline']['inetd_services']['srv_rexec']['filename'],
          match    => 'disable.*=',
          multiple => true,
        }
      }
    }
  } else {
    if (
      (has_key($facts['security_baseline']['inetd_services'], 'srv_rsh') and
      ($facts['security_baseline']['inetd_services']['srv_rsh']['status']))        or
      (has_key($facts['security_baseline']['inetd_services'], 'srv_rlogin') and
      ($facts['security_baseline']['inetd_services']['srv_rlogin']['status']))     or
      (has_key($facts['security_baseline']['inetd_services'], 'srv_rexec') and
      ($facts['security_baseline']['inetd_services']['srv_rexec']['status']))
    ) {
      echo { 'rsh-service':
        message  => $message,
        loglevel => $log_level,
        withpath => false,
      }
    }
  }
}